I am trying to create an application EAR file with role to principal mappings that are specific to the application. For example, an EJB in my EAR file has granted permission to role "role_1", while user "user_2" in the user repository (e.g. an LDAP directory) has role "role_2". I want to grant "role_1" to "user_2" for this EAR file only.

to specify role to principal mappings in jboss.xml, jboss-web.xml and jboss-app.xml but it did not work. When I log in as "user_2" and access the EJB, instead of getting the role "role_1" from the deployment descriptor, I still only get the role "role_2" from LDAP, and cannot access the EJB. When I log in as another user that has role "role_1" in LDAP, I can access the EJB successfully.

I tried this in JBoss 4.0.1 SP 1, using LdapLoginModule to access the user repository in an LDAP directory.

I had the same expectations as you, but we were both wrong! Here is what is the real usage of these mappings:

"The only use of the security-role settings in the jboss.xml and jboss-web.xml descriptors is to assign additional roles to a run-as identity. These have no effect for authenticated users. The user to role mapping for actual users is based on the JAAS login module configuration and associated security store." (Scott Stark)
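To make the distinction in the quoted answer concrete, here is an added descriptor example (not from the original thread or from the JBoss project) showing the one thing the jboss.xml security-role mapping does do: give extra roles to a bean's run-as identity. The bean names (CallerBean, TargetBean), the run-as principal name app_runner and the role names are assumed for illustration; the element names follow the JBoss 4.0 jboss.xml DTD.

```xml
<!-- ejb-jar.xml (standard descriptor) -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>CallerBean</ejb-name>
      <!-- CallerBean runs as role_1 when it invokes other beans -->
      <security-identity>
        <run-as>
          <role-name>role_1</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>TargetBean</ejb-name>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>role_1</role-name></security-role>
    <security-role><role-name>role_2</role-name></security-role>
    <!-- TargetBean requires BOTH roles on the caller -->
    <method-permission>
      <role-name>role_1</role-name>
      <role-name>role_2</role-name>
      <method>
        <ejb-name>TargetBean</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml (JBoss-specific descriptor) -->
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN"
    "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
<jboss>
  <security-domain>java:/jaas/my-ldap-domain</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CallerBean</ejb-name>
      <!-- name the principal the run-as identity will carry (assumed name) -->
      <security-identity>
        <run-as-principal>app_runner</run-as-principal>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <!-- This mapping only adds role_2 to the run-as principal "app_runner".
         It does NOT give role_2 (or role_1) to an LDAP user such as user_2;
         a real user's roles still come solely from the login module. -->
    <security-role>
      <role-name>role_2</role-name>
      <principal-name>app_runner</principal-name>
    </security-role>
  </assembly-descriptor>
</jboss>
```

With these descriptors, a call from CallerBean to TargetBean is made as principal app_runner holding role_1 (from run-as) plus role_2 (from the jboss.xml security-role), so it passes the method-permission check. A direct call to TargetBean by user_2, authenticated through the LDAP login module, is still evaluated against the roles LDAP returns, which is why the mapping in the question had no effect on that user.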